๐จ CVE-2026-56072
Unauthenticated Cross Site Scripting (XSS) in WoodMart <= 8.5.3 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in WoodMart <= 8.5.3 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress WoodMart Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57317
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Simply Schedule Appointments Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57323
Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions.
๐@cveNotify
Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Flash & HTML5 Video Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57324
Unauthenticated Broken Access Control in GIFT4U <= 1.0.10 versions.
๐@cveNotify
Unauthenticated Broken Access Control in GIFT4U <= 1.0.10 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress GIFT4U Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57618
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
๐@cveNotify
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Neve PRO Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57632
Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions.
๐@cveNotify
Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Email Marketing for WooCommerce by Omnisend Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57645
newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions.
๐@cveNotify
newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Newsletters Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57651
Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.
๐@cveNotify
Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Ghost Kit Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57657
Unauthenticated Cross Site Request Forgery (CSRF) in Gmail SMTP <= 1.2.3.19 versions.
๐@cveNotify
Unauthenticated Cross Site Request Forgery (CSRF) in Gmail SMTP <= 1.2.3.19 versions.
๐@cveNotify
Patchstack
Cross Site Request Forgery (CSRF) in WordPress Gmail SMTP Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57663
Contributor SQL Injection in Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7 versions.
๐@cveNotify
Contributor SQL Injection in Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7 versions.
๐@cveNotify
Patchstack
SQL Injection in WordPress Recipe Maker For Your Food Blog from Zip Recipes Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-11919
The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.
๐@cveNotify
The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.
๐@cveNotify
GitHub
vulnerability-wolfram-cloud-14.2/disclosure.md at main ยท PeterRoberge/vulnerability-wolfram-cloud-14.2
Multi-Tenant Classpath Injection Vulnerability in Wolfram Cloud - PeterRoberge/vulnerability-wolfram-cloud-14.2
๐จ CVE-2026-0685
Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
๐@cveNotify
Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
๐@cveNotify
GitHub
GitHub - edgewall/genshi: Python toolkit for generation of output for the web
Python toolkit for generation of output for the web - edgewall/genshi
๐จ CVE-2026-0828
Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64 , versions 10.5.75.0 and 11.11.4.0, allows unprivileged user to abuse IOCTL path and terminate protected system processes.
๐@cveNotify
Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64 , versions 10.5.75.0 and 11.11.4.0, allows unprivileged user to abuse IOCTL path and terminate protected system processes.
๐@cveNotify
Safetica
Safetica | Data Loss Prevention and Insider Risk Management
Safetica protects businesses against insider threats, offers data loss protection, and supports regulatory compliance.
๐จ CVE-2025-32394
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32.
๐@cveNotify
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32.
๐@cveNotify
GitHub
Quadratic memory amplification in AITextSummarizerBlock chunking (DoS via attacker-controlled max_tokens/overlap)
### Summary
There is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of m...
There is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of m...
๐จ CVE-2025-32423
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in ExtractTextInformationBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32.
๐@cveNotify
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in ExtractTextInformationBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32.
๐@cveNotify
GitHub
User-controlled regex in ExtractTextInformationBlock produces O(n^2) output, enabling memory-exhaustion DoS
### Summary
There is a DoS vulnerability in `ExtractTextInformationBlock`. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume ...
There is a DoS vulnerability in `ExtractTextInformationBlock`. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume ...
๐จ CVE-2026-11779
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.
๐@cveNotify
An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.
๐@cveNotify
Fluidattacks
PayloadCMS 3.84.1 - Authenticated account lockout bypass through default unlock access | Fluid Attacks
CVE-2026-11779: An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.
๐จ CVE-2026-28385
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
๐@cveNotify
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
๐@cveNotify
GitHub
doc: update guide to hardening security for LXD by elijahgreenstein ยท Pull Request #18462 ยท canonical/lxd
This PR updates the guide to hardening security for LXD:
Reorganizes the section on limiting network exposure, and provides a detail about why setting core.https_address to a port alone increases ...
Reorganizes the section on limiting network exposure, and provides a detail about why setting core.https_address to a port alone increases ...
๐จ CVE-2026-45405
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user โ including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
๐@cveNotify
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user โ including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
๐@cveNotify
GitHub
Harden archive extraction against symlink traversal by josegonzalez ยท Pull Request #8591 ยท dokku/dokku
Hardens git:from-archive and certs:add against tar symlink traversal and arbitrary file write by validating archives prior to extraction, rejecting absolute paths, parent traversal entries, and sym...